Editor: 飞翔的荷兰人 2017-10-07
1 Usable Security Through Isolation
Collège de France, April 6, 2011
Butler Lampson, Microsoft Research

6 April 2011 Lampson:


2 Usable Security: Things Are Really Bad
- Users don't know how to think about security
- User experience is terrible
  - Lots of incomprehensible choices
  - Just say "OK"
- A few examples:
  - Windows Vista User Account Control
  - Windows root certificate store
  - User interface for access control on files
  - Password phishing
  - Client certificates for SSL
  - Signed or encrypted email
- In general, more secure = less usable

The Best is the Enemy of the Good
- Security is fractal
  - Each part is as complex as the whole
  - There are always more things to worry about
  - See Mitnick's Art of Deception, ch. 16 on social engineering
- Security experts always want more:
  - More options: There's always a plausible scenario
  - More defenses: There's always a plausible threat
- Users just want to do their work
  - If it's not simple, they will ignore it or work around it
  - If you force them, less useful work will get done


3 Usable Security Is About Economics
- Security is about risk management, not an absolute
  - There's benefit, and there's cost
  - We don't measure either one
  - Compare credit cards: fraud detection, CCVs, chip-and-PIN
- The cost is not mostly in budgeted dollars
  - "If you want security, you must be prepared for inconvenience." - General B. W. Chidlaw, 12 Dec. 1954
- Tight security → no security
- Sloppy users are doing the right thing
  - With today's poor usability, the cost of security is high
  - And the benefits of better security are quite low
- Providers have no incentive for usable security
  - They mostly just want to avoid bad publicity


4 What Has Worked?
- Worked = gotten wide adoption
- SSL
- Passwords
- Firewalls
- Security life cycle
- Safe languages


5 Technical Context
- Security is about
  - Secrecy: Who knows it?
  - Integrity: Who changed it?
  - Availability: Is it working?
  - Accountability: Who is to blame?
- Privacy is about controlling personal information
  - What is known: very hard
  - How it is used: mainly by regulation
- Two faces of security: Policy vs. bugs
  - Policy: user's or org's rules for security / privacy
  - Bugs: ways to avoid policy


6 Assurance and Threats
- Assurance:
  - Policy: Computer settings agree with user's or org's rules for security / privacy
  - Bugs: There is no way to avoid policy
- Assurance depends on the threat model: what the adversary can do.
- This depends on the adversary. There's a range:
  - User of downloaded tools
  - ↓
  - National intelligence agency


7 Context: The Access Control Model
1. Isolation boundary limits attacks to channels (no bugs)
2. Access Control for channel traffic
3. Policy management

[Figure: access control model. Labels: Agent / Principal (Source), Request, Guard / Reference monitor, Resource / Object (Sink), Authentication, Authorization, Audit log, Policy, Host (CLR, kernel, hardware, VMM, ...). Annotations: 1. Isolation boundary, 2. Access control, 3. Policy]


8 Context: The Information Flow Model
0. Labeled information
1. Isolation boundary limits flows to channels (no bugs)
2. Flow control based on labels
3. Policy says what flows are allowed

[Figure: information flow model. Labels: Agent / Principal (Source), Data + Label, Transmit, Guard / Ref mon, Sink, Authentication, Authorization, Audit log, Policy. Annotations: 0. Labels, 1. Isolation boundary, 2. Egress control, 3. Policy]

[Figure, labelled "Access Control": Agent / Principal (Source), Request, Guard / Ref mon, Object / Resource (Sink), Authentication, Authorization, Audit log, Policy. Annotations: 1. Isolation boundary, 2. Access control, 3. Policy]
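
An added example (not from Lampson's slides) contrasting the two models on slides 7 and 8: the same guard decides an access request from the principal and operation, and a transmit request from the data's label and the sink, logging both to the audit log. Authentication is assumed to have happened already; Guard, LEVELS and all principals, objects and sinks are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed label ordering for this example: higher number = more sensitive.
LEVELS = {"public": 0, "internal": 1, "secret": 2}

@dataclass
class Guard:
    """Reference monitor: every request crosses the isolation boundary here."""
    acl: dict        # access control policy: (principal, object) -> allowed ops
    clearance: dict  # flow policy: sink -> highest label it may receive
    audit: list = field(default_factory=list)

    def _log(self, kind, who, what, detail, allowed):
        # Record denials as well as grants, so the log supports accountability.
        self.audit.append((kind, who, what, detail, "allow" if allowed else "deny"))
        return allowed

    def access(self, principal, op, obj):
        """Access control model: decide from who is asking and for what."""
        allowed = op in self.acl.get((principal, obj), set())
        return self._log("access", principal, obj, op, allowed)

    def transmit(self, principal, label, sink):
        """Information flow model: decide from the data's label and the sink."""
        if label not in LEVELS or sink not in self.clearance:
            return self._log("flow", principal, sink, label, False)  # default deny
        allowed = LEVELS[label] <= LEVELS[self.clearance[sink]]
        return self._log("flow", principal, sink, label, allowed)

def demo():
    g = Guard(
        acl={("alice", "payroll.db"): {"read"}, ("bob", "wiki"): {"read", "write"}},
        clearance={"printer": "internal", "internet": "public", "vault": "secret"},
    )
    results = [
        g.access("alice", "read", "payroll.db"),    # granted by the ACL
        g.access("alice", "write", "payroll.db"),   # operation not granted
        g.access("mallory", "read", "payroll.db"),  # no ACL entry at all
        # Alice may read the secret, but its label still blocks egress:
        g.transmit("alice", "secret", "internet"),
        g.transmit("alice", "public", "internet"),
        g.transmit("alice", "internal", "fax"),     # unknown sink: default deny
    ]
    return results, g.audit

if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```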
